Craftier Trojan Invades 10,000 Web Sites, Stumps Security Pros

The "random js toolkit" is JavaScript code that is generated dynamically and served under a random filename that can only be accessed once. As a consequence, it changes every time it is accessed. The dynamic embedding, known as "code obfuscation," is done in such a selective manner that once a user has received a page with the embedded malicious code, it will not be referenced again during future visits.

By Walaika Haskins
01/15/08 2:28 PM PT

A little more than two weeks into 2008, cyber-criminals are up to their same old tricks -- stealing users' private data -- but they have concocted a far more advanced and sophisticated method. They are now embedding their malicious code into legitimate Web sites using Web-hosting servers, according to a report released Monday by Finjan Software, a provider of secure web gateway products.

More than 10,000 Web sites in the U.S. alone were infected by the latest type of malware attack during the month of December. The attack, dubbed "random js toolkit," is an extremely elusive Trojan that infects a computer user's machine, sending personal data over the Internet to the criminal mastermind. Stolen data can include documents, passwords, surfing habits and any other sensitive information that may be of interest to criminals, Finjan said.

"In mid-year 2007, studies show there were nearly 30,000 new infected Web pages being created every day. About 80 percent of those pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse," said Yuval Ben-Itzhak, chief technology officer at Finjan.

Clever Criminals

Finjan Software researchers uncovered the cyber-criminals' latest scheme while diagnosing users' Web traffic in December. The "random js toolkit" is JavaScript code that is generated dynamically and served under a random filename that can only be accessed once. As a consequence, it changes every time it is accessed.

The dynamic embedding, known as "code obfuscation," is done in such a selective manner that once a user has received a page with the embedded malicious code, it will not be referenced again during future visits or further requests from the same IP (Internet protocol) address. Cyber-criminals store the visiting computer's IP address, so that the JavaScript is no longer referenced in the source HTML (hypertext markup language) of the site. That makes it "almost impossible" for traditional signature-based anti-malware products to detect the malware, Finjan said.

This so-called evasive effect reduces the visibility of the malicious code in order to curtail the chances of detection, while increasing opportunities for infection. A single attack serves over 13 different exploits in an effort to infect a user's computer with malicious Trojans.

"Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches," Ben-Itzhak explained. "Keeping an up-to-date list of 'highly trusted doubtful' domains serves only as a limited defense against this attack vector."

Cyber-criminals can beat the system by maintaining a list of the IP addresses of Web crawlers -- the main feed for updating URL-filtering and reputation services databases -- in their attack data, which enables them to serve legitimate content to the Web crawlers while providing malicious content to every other visitor to the site.

Using random Web page names is another method that prevents filters and reputation services from blacklisting malicious pages. Every visit made to an infected site generates a unique URL that is created and served dynamically. One such infected site that Finjan identified is Berkeley University's "highly trusted" domain.

The random js exploits, part of a growing trend of cyber-criminals injecting hidden iframes and scripts into the pages of legitimate sites, are being sent to a huge audience using Web-hosting servers as their attack vector. Cyber-criminals hijack and take complete control of Web-hosting servers so that each of the hosted domains on the compromised server will deliver the Trojan to unsuspecting end users. Each request made to a hijacked server will result in an additional request for the malicious code, according to Finjan.
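The two properties described above, a script reference that is served once per visitor and then vanishes from the page source, and a file name that is a random token rather than a library name, are exactly what a defender can look for. The following Python script is an added example, not Finjan's tooling or anything from the original article: it parses repeated fetches of the same page, reports script and iframe references that are not present in every fetch ("transient" references), and applies a simple random-name heuristic to the path segments. The two HTML snippets, the thresholds and the path names are constructed for illustration.

```python
"""Heuristic detector for one-time, randomly named script/iframe injections.

Two signals from the article:
  1. The injected reference is served once per client and is absent on the
     next visit, so it is *transient* across repeated fetches of one page.
  2. The injected file name is a random token rather than a library name.
"""
import re
from html.parser import HTMLParser

# Constructed sample: two fetches of the same page from the same client.
# The first carries an injected one-time script; the second does not.
FETCH_1 = """<html><head><title>Campus News</title>
<script src="/js/jquery.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="/x9k2q7pw4lz8/a3f91c0d.js"></script>
</head><body><p>Welcome</p></body></html>"""

FETCH_2 = """<html><head><title>Campus News</title>
<script src="/js/jquery.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
</head><body><p>Welcome</p></body></html>"""


class RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.add((tag, src))


def extract_refs(html):
    """Return the set of (tag, src) pairs referenced by a page."""
    parser = RefCollector()
    parser.feed(html)
    return parser.refs


# A path segment made only of lowercase letters and digits, 8+ chars long.
RANDOM_SEGMENT = re.compile(r"^[a-z0-9]{8,}$")


def looks_random(src):
    """Heuristic (assumed threshold): a path segment, extension stripped,
    that is a long letter/digit token with at least 30% digits."""
    path = src.split("?", 1)[0]
    for seg in path.split("/"):
        stem = seg.rsplit(".", 1)[0].lower()
        if not RANDOM_SEGMENT.match(stem):
            continue
        digits = sum(c.isdigit() for c in stem)
        letters = len(stem) - digits
        if digits and letters and digits / len(stem) >= 0.3:
            return True
    return False


def transient_refs(fetches):
    """References that do not appear in every fetch of the same page."""
    sets = [extract_refs(h) for h in fetches]
    return set.union(*sets) - set.intersection(*sets)


def assess(fetches):
    """Combine both signals; 'suspicious' is the intersection."""
    all_refs = set.union(*(extract_refs(h) for h in fetches))
    transient = transient_refs(fetches)
    random_named = {r for r in all_refs if looks_random(r[1])}
    return {
        "transient": sorted(transient),
        "random_named": sorted(random_named),
        "suspicious": sorted(transient & random_named),
    }


if __name__ == "__main__":
    for key, refs in assess([FETCH_1, FETCH_2]).items():
        print(f"{key}: {refs}")
```

In practice the fetches would come from different client addresses and from a crawler's address, since the article notes that the injected reference is withheld from known crawler IPs; a reference that a crawler never sees but ordinary clients do is the same transient signal viewed across vantage points rather than across time.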

Securing the Web

Web threats continue to be the preferred vector for malware as cyber-criminals attempt to attack unsuspecting Web surfers, said Graham Cluley, senior technology consultant at Sophos.

"It is increasingly common for hackers to plant malicious scripts on high-traffic Web sites," he told TechNewsWorld. "Sophos currently sees approximately 6,000 new infected Web pages each day. Only about one in five of these sites are hacker sites, sites which are malicious in intent."

Some 80 percent are hacked sites, or legitimate Web sites that have been compromised by an unauthorized third party. "A particularly successful way to spread a Web infection is to poison advertisements displayed on a wide range of Web sites," Cluley continued.

Banner ads are so effective in transmitting malware that by 2009, advertising networks will be responsible for up to 30 percent of malware on users' desktops, said Avivah Litan, a Gartner analyst.

"It's one of those hidden threats people don't know about -- and there's not an easy solution to it, because what happens is these crooks register as advertisers, and it is almost impossible to screen every advertiser properly," she told TechNewsWorld.

This allows the bad guys to put ads up on the Internet through Google and other advertising engines that will screen the ad when it is initially uploaded -- but after that the malware can be inserted in the ad at any time.

"The ad engines are not cleansing the ads each time they're served. Technically, it is a difficult problem for the ad engines. One, there is not immediately a financial incentive to fix. It hurts the consumer and will not hurt the ad network until people start losing faith in the ad network. But, as the revelations about all the malware in advertising comes out, it is potentially very destructive to the adware model," Litan explained.

"It's the biggest e-commerce security issue in 2008," she concluded.

"Many malicious Web pages contain 'obfuscated JavaScript' to avoid detection and make analysis harder. The obfuscated scripts typically launch browser exploits that download additional malware components to the system. Detecting and blocking these sites is difficult, because their content varies dramatically," Cluley explained.

"Simply preventing access to gambling or pornography Web sites is not sufficient to protect users against these threats. A security solution to protect innocent computer users can help block Web access to these and other Web threats if it examines visited Web pages 'on-the-fly,' regardless of whether they are considered in a dangerous category or not, to determine if there is any malware hosted on them," he added.